
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Healthcare Leaders Need to Move Faster to Meet Cybersecurity Challenges

The response from the healthcare industry to current cybersecurity threats has not been fast enough and basic IT security measures are still not being adopted, according to a Nashville-based FBI Supervisory Special Agent.

Speaking at last week’s CHIME/AEHIS LEAD Forum Event at Sheraton Downtown Nashville, Scott Augenbaum – an FBI Supervisory Special Agent in the Memphis Division – told attendees that too little is being done to keep healthcare data secure. He also pointed out that in the majority of cases, healthcare data breaches could easily have been prevented.

When Augenbaum is called upon to visit healthcare organizations following breaches of protected health information, he usually discovers that simple data security measures could have prevented the exposure or theft of PHI. “90 percent of what I see could easily have been prevented. I do not go into a data breach situation where I don’t say, now, wow, that was sophisticated.”

He also said that while investment in cybersecurity has increased in the healthcare industry, the situation is not getting better. Money is being thrown at the problem, but the problem is not being effectively tackled. If healthcare organizations fail to get the basics right, they leave gaping holes in their security defenses that can all too easily be exploited by hackers.

Augenbaum’s keynote speech, titled “The Health Information Executive’s Guide to Cybersecurity”, was intended to raise awareness of the problem and explain the seriousness of the current threat level. In the address, Augenbaum pointed out that foreign government-backed hackers pose a serious problem for the healthcare industry. Furthermore, the situation is likely to get a lot worse.

While foreign entities have not previously been interested in healthcare data, the situation today is very different. Augenbaum explained that part of China’s plan is for the country to become a world leader in healthcare innovation by 2020, yet the Chinese government wants to do this without committing funds to research. Instead, the focus is on attacking healthcare organizations in the United States to gain access to healthcare information systems. According to Augenbaum, Russia, Nigeria, and other foreign countries are also using hackers to target U.S. healthcare providers.

It is not only foreign governments that are keen to obtain healthcare data. Independent hackers from home and abroad are attempting to hold the healthcare industry to ransom by infiltrating their networks and stealing their data. If cybersecurity defenses are not improved, not only are attacks likely to continue, but the situation is likely to get considerably worse.

One of the best places to start is with basic cyber-hygiene. Augenbaum suggested focusing on five key areas of basic cybersecurity – as detailed in the SANS Institute’s CIS Critical Security Controls for Effective Cyber Defense. By following these guidelines, Augenbaum says it is possible to prevent 90% of healthcare data breaches.

These are:

  • Create an inventory of authorized and unauthorized devices
  • Create an inventory of authorized and unauthorized software
  • Ensure secure configurations for hardware and software on all devices (PCs, laptops, mobiles, tablets, servers, and IoT devices)
  • Ensure continuous vulnerability assessments are performed and vulnerabilities are remediated promptly
  • Ensure administrative privileges are controlled

Augenbaum also explained that many organizations have still not appointed a dedicated person to look after cybersecurity strategy at the highest level. The task is often given to people low down the chain who typically lack the relevant experience or understanding.

It was also explained that healthcare leaders need to build comprehensive IT security strategies. Augenbaum pointed out this is not a quick process. “It takes a full three to five years to implement a comprehensive IT security strategy. People simply don’t understand this.” It is therefore essential that the process starts now.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
